(54) Method of settling charges

(57) An IC card (6) has a card information memory area wherein there are written a master public key nA, card secret keys pU and qU, a card public key nU, a card identification number IDU, and a first master digital signature SA1 for information including the card identification number. An IC card terminal (2a, 2b) has a terminal information memory area wherein there are written a master public key nA, terminal secret keys pT and qT, a terminal public key nT, a terminal identification number IDT and a second master digital signature SA2 for information including the terminal identification number IDT. When inserted into the IC card terminal, the IC card sends thereto the data nU, IDU, and SA1. The IC card terminal verifies the digital signature SA1 by the master public key nA and, if it is valid, transmits the data nT, IDT and SA2 to the IC card. The IC card verifies the digital signature SA2 by the master public key nA and, if it is valid, transmits information corresponding to the current remainder value V to the IC card terminal. The IC card terminal makes a check to see if the received information corresponding to the remainder value V is appropriate, and if so, becomes enabled for providing a service.
Description

BACKGROUND OF THE INVENTION

The present invention relates to a method and apparatus for settlement of accounts by IC cards which are used as prepaid cards or credit cards.

For instance, in an IC card which is used as a prepaid card, there is written the amount of money paid for its purchase, and before or after receiving a service the card user inserts the IC card into an IC card terminal, wherein the remaining value after subtracting the charge for the service from the initial value is transmitted to and written into the IC card.

In a conventional system of this kind, the IC card and the IC card terminal use the same cipher system and have the same secret key and communicate to each other the balance information enciphered by the common secret key. The IC card and the IC card terminal are designed so that such a secret key cannot be found nor can it be altered even if the IC card terminal should be revealed to an outsider.

On the other hand, in the case of an IC card for use as a credit card, its identification number and other necessary information are preregistered and the user is allowed to receive his desired service when inserting the IC card into an IC card terminal and is charged for the service afterward. In a conventional IC credit card system, upon insertion of the IC card into the IC card terminal, the latter is connected online to a management center where IC card identification numbers and other user information are registered, then the user inputs his registration number and other required information by dialing, the thus input information is sent to the management center, wherein the user information registered in advance is used to verify the validity of the user. After the user's validity is thus proved, the user is allowed to receive his or her desired service at the IC card terminal.

Such an IC credit card system similarly adopts, with a view to providing increased security, a method in which: the IC card and the IC card terminal use the same cryptographic scheme and have the same secret key and they each authenticate the other's validity; a password input into the IC terminal is checked with its counterpart prestored in the IC card; the IC card identification number read out of the IC card is sent from the IC card terminal to the management center which has a data base of identification numbers and other information of IC cards; the IC card identification number is verified in the management center; the result of the verification is transmitted to the IC card terminal; and when the IC card identification thus checked in the management center is valid, the service specified by the card user starts through the IC card terminal. In some cases, the IC card and the management center each authenticate the other's validity directly through use of the same secret key.



The conventional methods mentioned above all call for communication between the management center and the IC card terminal and online processing for verification before or after the service is provided, and hence they have shortcomings that the management center facility is inevitably large-scale and that the charge for the service includes communication expenses. Moreover, the history of service can be stored in the management center or IC card but difficulty is encountered in proving that the stored contents are not false. Although it is almost impossible to falsify the stored contents of the IC card unless the secret key is let out, the secret key information in the IC card or IC card terminal is not perfectly protected and may in some cases leak out in a long time. In the case where the cryptographic scheme used is broken by third parties and many IC terminals are used by them, particularly in the event that IC cards and IC terminals are abused by unauthorized persons over a wide range, it is very difficult to change all of the secret keys at the same time; this poses a serious social problem as well-intentioned users cannot use their IC cards for a long period of time, for instance.

SUMMARY OF THE INVENTION

It is therefore an object of the present invention to provide a method and apparatus for the payment of charges by IC cards which eliminate the need for communication between the management center and the IC card terminal each time the card user inserts his IC card into the latter to receive his desired service and which permit detection of abuse of a forged IC card or intentionally altered IC card terminal.

This object is achieved with a method as claimed in 
claim 1. 

Preferred embodiments of the invention are subject-matter of the dependent claims.

A digital signature scheme capable of proving that a person who transmitted digital information acknowledged it, just like he puts his seal to a document, is already established as disclosed in, for example, "ESIGN: An Efficient Digital Signature Scheme," NTT R & D Vol. 40, No. 5, 1991, pp687-686, or U.S. Patent No. 4,625,076. According to the digital signature scheme, a document M and a secret key Q are used and a digital signature S(M) is created using a signature creating function, then the signature S(M) and the document M are transmitted to the other party. The other party performs a computation by substituting the received document M and signature S(M) and a public key U into a signature verifying function. If the computed result satisfies predetermined conditions, then it is verified that the digital signature S(M) was attached to the document M by a person having the secret key Q, and he cannot deny the fact. In this instance, the Q and U are different prime numbers of extremely large values (that is, Q ≠ U), and this scheme features a mathematical property that the value Q cannot be computed even if the value of U is known. Furthermore, even if slightly altered, the document can be proved invalid. It is set forth in the above-noted literature that these digital signature functions could be executed within a practical processing time on the scale of a program mountable on IC cards, through utilization of an algorithm called ESIGN.

Other digital signature schemes applicable to the present invention are an ElGamal scheme (T. E. ElGamal: A public key cryptosystem and a signature scheme based on discrete algorithm, Proc. of Crypto '84, 1984), a DSA (Digital Signature Algorithm, made public by the National Institute of Standards and Technology of the U.S. Department of Commerce) scheme, and a Micali-Shamir scheme (S. Micali and A. Shamir: An improvement of the Fiat-Shamir identification and signature scheme, Proc. of Crypto, pp244-247, 1988), for instance.

BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 is a block diagram illustrating the system configuration of an embodiment of the present invention;
Fig. 2 is a block diagram showing an example of the configuration of an IC card terminal;
Fig. 3 is a block diagram showing an example of the configuration of an IC card;
Fig. 4A is a diagram showing processing of a management center for setting the IC card terminal;
Fig. 4B is a diagram showing processing of an IC card dispenser when dispensing the IC card;
Fig. 4C is a diagram showing procedures between the IC card and the IC card dispenser for dispensing and recharging the latter;
Fig. 5 is a diagram showing procedures between the IC card and the IC card terminal;
Fig. 5A is a functional block diagram of the IC card in the embodiment of Fig. 5;
Fig. 5B is a functional block diagram of the IC card terminal in the embodiment of Fig. 5;
Fig. 6 is a diagram showing another example of the procedure between the IC card and the IC card terminal;
Fig. 7 is a diagram showing, by way of example, procedures between the IC card, the IC card terminal and the management center at the time of writing amount-of-money information into the IC card;
Fig. 8 is a block diagram showing the distribution of encrypting keys for cipher communication between the IC card, the IC card terminal, the IC card dispenser and the management center;
Fig. 9 is a diagram showing the payment of charges by the IC card according to another embodiment of the present invention;
Fig. 10 is a diagram illustrating a modified form of the Fig. 5 embodiment which utilizes a time stamp;
Fig. 11 is a diagram showing a time stamp updating algorithm;
Fig. 12 is a diagram illustrating a modification of the Fig. 10 embodiment which employs random numbers;
Fig. 13 is a diagram showing procedures for registering a password in an IC card applied to a credit card, by use of the IC card terminal;
Fig. 14 is a diagram showing procedures for receiving a service by use of the IC card with the password registered therein by the process depicted in Fig. 13;
Fig. 15 is a diagram showing another example of the password registration procedure;
Fig. 16 is a diagram showing procedures for receiving a service by use of an IC card with the password registered therein by the process depicted in Fig. 15; and
Fig. 17 is a diagram illustrating another embodiment of procedures for receiving a service by use of an IC card applied to a credit card.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

In Fig. 1 there is illustrated in block form an example of the configuration of a card system for making the payment of charges through use of an IC card according to the present invention. IC card terminals 2a, 2b, ... perform processing for the payment of charges for services rendered to an IC card 6. For example, when the IC card 6 is a prepaid telephone card, the IC card terminals 2a, 2b, ... provide service by telephone. The IC card terminals 2a, 2b, ..., when installed, are each connected via a communication network 3 to a management center 4 which sets and holds security information under its control. In the following description the IC card terminals will be indicated generally by a numeral 2 except when a particular one of them is intended. The IC card 6 has initial data written by the IC card dispenser 5 when it is issued, and security information necessary for the IC card 6 is provided from the management center 4. Incidentally, in the case where some functions of the management center 4 are mounted on a portable telephone terminal or the like so that they are brought to the place where the IC card terminal 2 is located, the IC card terminal 2 need not always be connected via the communication network 3 to the management center 4 when it is installed.

Fig. 2 illustrates an example of the internal configuration of the IC card terminal 2 and Fig. 3 an example of the internal configuration of the IC card 6. The IC card terminal 2 comprises an IC card reader/writer 11 which reads and writes the IC card 6 inserted thereinto, function buttons 12 as of a keyboard, a display 13, a telephone controller 14, a network interface 15 for processing communication via the communication network 3, a handset 16 and a speech circuit 17.

In the IC card 6 there are stored in a ROM 61 programs for IC card procedures, digital signature creating and verifying algorithms and so forth, and a CPU 63 controls the entire processing of the IC card while utilizing a RAM 62 as a work area and communicates with the IC card reader/writer 11 of the IC card terminal 2 via an I/O interface 65 and contacts 66.

Fig. 4A shows the process that is performed when the IC card terminal 2 is installed. The IC card terminal 2 receives from the management center 4 such pieces of terminal information as listed below when it is installed.

(1) Master public key nA for verifying a master digital signature of the management center 4;

(2) Terminal secret keys pT and qT for the IC card terminal 2 to create a digital signature;

(3) Terminal public key nT for verifying the digital signature of the IC card terminal 2;

(4) Terminal identification number IDT for identifying the IC card terminal 2; and

(5) Master digital signature SA(nT * IDT) by the management center for the terminal public key nT and the terminal identification number IDT, where the symbol " * " represents concatenation; for example, 001 * 0101 = 0010101.

After receiving these pieces of information, the IC card terminal 2 verifies the validity of the master digital signature SA(nT * IDT) through use of the terminal public key nT, the terminal identification number IDT and the master public key nA, and if the master digital signature SA(nT * IDT) is valid, then the IC card terminal 2 records these pieces of information in a terminal information area of a memory in the telephone controller 14. No description will be given of the method for verifying the digital signature, because it is disclosed in the afore-noted various digital signature schemes. As described previously, the verification of the digital signature S(M) generally calls for an unsigned full document M and a public key for verification use, but in the following description there are cases where a simplified description, "the digital signature is verified using the public key" or "digital signature is verified" is used.

Incidentally, the management center 4 has set therein its master secret keys pA and qA and has functions of creating a different terminal identification number IDT for each IC card terminal 2 and the terminal public key nT and the terminal secret keys pT and qT corresponding to the terminal identification number IDT.

It is preferable that the terminal secret keys pT and qT be recorded in the terminal information area 2M1 in the IC card terminal 2 which is not easily accessible from the outside, for example, in a RAM of a one-chip CPU or battery backup RAM of a construction wherein the power supply from the battery is cut off when the IC card terminal 2 is abused.

In Fig. 4B there is shown the process that is performed by the IC card dispenser 5 when it issues the IC card 6. The IC card 6 receives from the IC card dispenser 5 such pieces of card information listed below that need to be held in the IC card 6. These pieces of information are provided in advance from the management center 4 to the IC card dispenser 5.

(1) Master public key nA for verifying the master digital signature of the management center 4;

(2) Card secret keys pU and qU for the IC card 6 to create its digital signature;

(3) Card public key nU for verifying the digital signature of the IC card 6;

(4) Card identification number IDU for identifying the IC card 6;

(5) Master digital signature SA(nU * IDU) of the management center 4 for the card public key nU and the card identification number IDU.

After receiving these pieces of card information, the IC card 6 verifies the validity of the master digital signature SA(nU * IDU) through use of the master public key nA and, if it is valid, the IC card 6 records these pieces of card information in a predetermined area (hereinafter referred to as a card information area) 6M1 in an EEPROM 64. Since the EEPROM 64 in the IC card 6 usually is not directly accessible from the outside, these pieces of card information cannot be read out to the outside of the IC card unless a predetermined procedure is executed. In particular, the card secret keys pU and qU need not be read out to the outside of the IC card 6 after once recorded therein, and hence they may preferably be held unreadable. In the process shown in Fig. 4B an amount of money is not yet written into the IC card 6.

The management center 4 has functions of creating a different card identification number IDU for each IC card and the card public key nU and the card secret keys pU and qU corresponding to the IC card identification number IDU.

Fig. 4C shows processing for writing into the IC card 6 the amount of money prepaid therefor when it is a prepaid card. The procedure shown in Fig. 4C is used for initial issuing of the IC card 6 and recharging an amount of money into the IC card 6 when no money is left over.

The IC card 6 transmits to the IC card dispenser 5 the public key nU, the identification number IDU and the master digital signature SA(nU * IDU) which it read out of the card information area 6M1. The IC card dispenser 5 verifies the master digital signature SA(nU * IDU) by the master public key nA preset therein and, if valid, recognizes that the IC card is valid. In this instance, the IC card dispenser 5 transmits to the IC card 6 a master digital signature SA(V * IDU) for a prepaid amount of money V (i.e. an initial value of the remainder) and the card identification number IDU and the amount of money V, provided from the management center 4, and an IC card dispenser identification number IDC preset in the IC card dispenser 5. The IC card 6 verifies the master digital signature SA(V * IDU) by the master public key nA and, if valid, records these pieces of information in a usage information area 6M2 of the EEPROM 64 in the IC card 6.

It is also possible to employ a system configuration in which, for each IC card issuing process, the IC card dispenser 5 is connected online to the management center 4 to transmit thereto the IC card identification number IDU and the value V received from the IC card 6 and the IC card dispenser 5 receives, in turn, the master digital signature SA(V * IDU) of the management center 4. Alternatively, these pieces of information may be prestored in the IC card dispenser 5.

Fig. 5 shows processing for the card user to receive a service from the IC card terminal 2 by use of the IC card 6 which is a prepaid card. Figs. 5A and 5B show functional blocks of the IC card 6 and the IC card terminal 2. In this case, however, random generating parts 6C and 2C are shown corresponding to an embodiment described later in respect of Fig. 6. In the usage information area 6M2 of the EEPROM 64 in the IC card 6 there are recorded, as card usage information, the initial value V, master digital signature SA(V * IDU) and card dispenser identification number IDC. When the user inserts the IC card 6 into the IC card reader/writer 11 of the IC card terminal 2, the card public key nU, the card identification number IDU and the master digital signature SA(nU * IDU) are sent from the IC card 6 to the IC card terminal 2.

The IC card terminal 2 verifies the master digital signature SA(nU * IDU) by the master public key nA in a verifying part 2A (Fig. 5B) and, if valid, sends via a transmitting/receiving part 2E to the IC card 6 the pieces of terminal information nT, IDT and SA(nT * IDT) read out of the terminal information area 2M1. The IC card 6 receives these pieces of terminal information via a transmitting/receiving part 6D and verifies the validity of the master digital signature SA(nT * IDT). If it is valid, then the remaining value V, the identification number IDC and the master digital signature SA(V * IDU), which are pieces of card usage information read out of the usage information area 6M2 of the memory 64 in the IC card 6, and a digital signature SU(V) of the IC card, which is generated for the value V in a digital signature creating part 6B through use of the card secret keys pU and qU, are sent to the IC terminal 2.

The IC card terminal 2 verifies the received digital signature SU(V) by the card public key nU and the value V in the verifying part 2B. If it is valid, then the IC terminal 2 further checks the master digital signature SA(V * IDU) by the pieces of information nA, V and IDU to ensure that the value V has not been falsified, after which the IC terminal 2 displays the remaining value V of the IC card 6 on a display 13. While referring to the guidance provided on the display 13, the user specifies his desired service by pressing the function buttons 12. The IC card terminal 2 reads out the charge for the thus specified service from a list prestored in a memory of the telephone controller 14 or accesses the communication network 3 and receives the necessary service charge information via the network interface 15 from the communication network 3 or a service center (not shown). The IC card terminal 2 compares the charge for the service (hereinafter referred to as a service charge) v and the remaining value V and, when the latter is larger than the former, the IC card terminal 2 begins to provide the specified service. For example, in the case of a telephone service, when the value V is 10 yen or more, the IC card terminal 2 provides a prompt on the display 13 for input of the telephone number of a subscriber to be called and originates a call as the user dials the number.

In the above, when any one of the digital signatures is found invalid through verification, the IC card terminal 2 stops processing at that point and ejects or returns the IC card 6 to the user.

After completion of the service or call, the telephone controller 14 of the IC card terminal 2 (a remaining value updating part 2D in Fig. 5B) subtracts the service charge v, prestored in the memory of the telephone controller 14 or transmitted from the communication network 3 or service center, from the remaining value V to obtain a new remaining value V', after which the telephone controller 14 creates, in its digital signature creating part 2B, a terminal digital signature ST(V' * IDU) for the value V' and the card identification number IDU through use of the terminal private keys pT and qT. Then the IC card terminal 2 sends the value V' and the digital signature ST(V' * IDU) to the IC card 6.

The IC card 6 verifies the received digital signature ST(V' * IDU) by the public key nT in the verifying part 6A and, if it is valid, records the remaining value V' and the other pieces of information nT, IDT, SA(nT * IDT) and ST(V' * IDU) received from the IC card terminal 2, as card usage information, in the usage information area 6M2 of the EEPROM 64, erasing the previous card usage information. That is, the card usage information in the usage information area 6M2 is updated as indicated by the arrow in Fig. 5.

It is also possible to employ a configuration in which in the case of updating the usage information area 6M2 in the EEPROM 64 of the IC card 6 with the current card usage information including the new remaining value V' received from the IC card terminal 2, the current remaining value V' is compared with the previous remaining value V in the usage information area 6M2 and if the latter is greater than the former, then the new remaining value V' is regarded as abnormal or invalid. When such an abnormality is detected, the usage information area 6M2 of the IC card 6 is not updated but instead a code representing the abnormality detection is written into the IC card 6 to prevent its further use. This prevents the remaining value of the IC card 6 from being raised by altering the IC card terminal 2. Upon completion of the updating of the usage information area 6M2, an authentication information (OK) representing it is sent to the IC card terminal 2.

In this embodiment when either one of the digital signatures SA and ST is abnormal, the remaining value is not updated but instead the abnormal contents of the IC card are recorded in a code form.

Since the IC card 6 and the IC card terminal 2 transmit to and receive from each other their identification numbers appended with the master digital signature of the management center as mentioned above, even if the transmitted and received contents are falsified by altering the IC card 6 or IC card terminal 2, the abuse can be detected by the verification of the digital signature at the receiving side. Moreover, even if the contents of the IC card could be copied to another IC card using a stolen IC card terminal, the falsification of the master digital signature of the management center for the card identification number is so difficult that there is no choice but to copy it; hence, such a copy can be checked by acquiring data of the abused IC card.

In Fig. 6 there are shown procedures for providing increased security against wire tapping of communication between the IC card 6 and the IC card terminal 2 through use of random numbers in the procedure of sending the remaining value V from the former to the latter.

When the IC card terminal 2 recognizes the validity of the IC card 6 inserted thereinto, by verifying the master digital signature SA(nU * IDU) received from the IC card 6 as described above with respect to Fig. 5, the IC card terminal 2 generates a random number R in a random generating part 2C (Fig. 5B) and sends it to the IC card 6 together with the pieces of information nT, IDT and SA(nT * IDT). The IC card 6 verifies the master digital signature SA(nT * IDT) by the master public key nA and the received pieces of information nT and IDT. When the master digital signature is valid, the IC card 6 generates a random number X in a random generating part 6C (Fig. 5A) and creates a digital signature SU(R * X * V) of the IC card 6 for the random number R, the random number X and the remaining value V by use of the card secret keys pU and qU and then sends the thus created digital signature to the IC card terminal 2 together with the random number X and the pieces of card usage information V, SA(V * IDU) and IDC read out of the usage information area 6M2.

The IC card terminal 2 checks the master digital signature SA(V * IDU) to ensure that the remaining value V was provided from a valid terminal (including an IC card dispenser) to the IC card 6. Furthermore, the IC card terminal 2 verifies the digital signature SU(R * X * V) through use of the received X, V, the card public key nU and the previously generated random number R to ensure that the remaining value V is one that was received from the valid IC card 6. Then the IC card terminal 2 permits the start of the service specified by the card user.

Upon completion of the service, the IC card terminal 2 generates a digital signature ST(R * X * V' * IDU) for a new remaining value V', the card identification number IDU and the random numbers R and X and sends it to the IC card 6 together with the new remaining value V'. The IC card 6 verifies the digital signature ST(R * X * V' * IDU) by the pieces of information IDU, R, X, V' and nT to ensure that the remaining value V' is valid, thereafter updating the usage information area 6M2 with all the pieces of information received from the IC card terminal 2.

With such a configuration, the random numbers R and X take different values for each use of the IC card, and consequently, the digital signatures SU and ST also change. Hence, even if an outsider intercepts signals between the IC card 6 and the IC card terminal 2 and sends to the latter the same signals as those intercepted without using any IC card, the signals do not match because of different random numbers; therefore, wrong manipulation can be prevented. Moreover, even if the intercepted signals are sent by some means to the IC card 6 in the process of updating the remaining value, the signals do not match, and hence such wrong manipulation can be prevented.
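
The Fig. 6 exchange for a first use of a freshly issued card, as an added example that is not part of the patent text. It assumes textbook RSA over constructed Mersenne-prime moduli as an insecure stand-in for ESIGN, a length-prefixed encoding for the " * " concatenation, and hypothetical class, function and identifier names.

```python
import hashlib
import secrets

E = 65537  # public exponent of the stand-in RSA signatures (the patent uses ESIGN)

def keypair(a, b):
    """Toy key from the Mersenne primes 2**a-1 and 2**b-1: constructed, insecure."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (public modulus n, secret exponent)

def cat(*fields):
    """The patent's '*' concatenation; the length prefixes are an added assumption."""
    out = b""
    for f in fields:
        raw = str(f).encode()
        out += len(raw).to_bytes(4, "big") + raw
    return out

def digest(n, fields):
    return int.from_bytes(hashlib.sha256(cat(*fields)).digest(), "big") % n

def sign(d, n, *fields):
    return pow(digest(n, fields), d, n)

def verify(n, sig, *fields):
    return pow(sig, E, n) == digest(n, fields)

nA, dA = keypair(521, 607)  # management center: master public key and master secret

class Card:
    def __init__(self, idu, value, idc="IDC-0001"):        # constructed identifiers
        self.nU, self._dU = keypair(61, 127)               # demo key, same for every card
        self.IDU, self.V, self.IDC = idu, value, idc
        self.cert = sign(dA, nA, self.nU, idu)             # SA(nU * IDU)
        self.SA_V = sign(dA, nA, value, idu)               # SA(V * IDU), written at issue
        self.blocked = False

    def hello(self):
        return self.nU, self.IDU, self.cert

    def respond(self, nT, IDT, cert_T, R):
        # Answer only a terminal whose SA(nT * IDT) verifies under nA.
        if self.blocked or not verify(nA, cert_T, nT, IDT):
            return None
        self._nT, self._R, self._X = nT, R, secrets.randbits(64)
        su = sign(self._dU, self.nU, R, self._X, self.V)   # SU(R * X * V)
        return self._X, self.V, self.SA_V, self.IDC, su

    def update(self, new_v, st):
        # ST(R * X * V' * IDU) must verify under nT for this session's R and X.
        if not verify(self._nT, st, self._R, self._X, new_v, self.IDU):
            return False
        if new_v > self.V:        # a service terminal must never raise the balance
            self.blocked = True   # stands in for the abnormality code
            return False
        self.V = new_v
        return True

class Terminal:
    def __init__(self, idt):
        self.nT, self._dT = keypair(89, 107)               # demo key
        self.IDT = idt
        self.cert = sign(dA, nA, self.nT, idt)             # SA(nT * IDT)

    def challenge(self, nU, IDU, cert_U):
        if not verify(nA, cert_U, nU, IDU):                # reject an uncertified card
            return None
        self._nU, self._IDU, self._R = nU, IDU, secrets.randbits(64)
        return self.nT, self.IDT, self.cert, self._R

    def accept(self, X, V, SA_V, IDC, su, charge):
        ok = (verify(nA, SA_V, V, self._IDU)               # balance issued by the center
              and verify(self._nU, su, self._R, X, V)      # fresh answer from this card
              and V > charge)                              # enough value for the service
        if not ok:
            return None
        new_v = V - charge
        return new_v, sign(self._dT, self.nT, self._R, X, new_v, self._IDU)

def transact(card, term, charge):
    """Run one insertion: mutual certificate check, signed balance, signed update."""
    msg = term.challenge(*card.hello())
    if msg is None:
        return False
    reply = card.respond(*msg)
    if reply is None:
        return False
    result = term.accept(*reply, charge)
    return result is not None and card.update(*result)
```

After the update the card would present the terminal's certificate and ST in place of SA(V * IDU) on its next use; that second-use check is outside this example.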

Fig. 7 shows procedures which provide increased security through use of random numbers at the time of writing the prepaid value into the IC card 6 when it is initially issued or recharged. It is assumed here that the IC card dispenser 5 and the management center 4 are connected online as shown in Fig. 1.

When inserted into the IC card dispenser 5, the IC card 6 sends thereto the card public key nU, the card identification number IDU and the master digital signature SA(nU * IDU). The IC card dispenser 5 verifies the validity of the master digital signature SA(nU * IDU) by the master public key nA to ensure that the IC card is valid. Then the IC card dispenser 5 generates a random number Y and sends it to the IC card 6 together with the amount information V and the dispenser identification number IDC.

The IC card 6, in turn, generates the random number X and then generates a digital signature SU(Y * X * V) for the random numbers Y and X and the amount information V, thereafter sending it to the IC card dispenser 5 together with the random number X.

The IC card dispenser 5 verifies, in turn, the digital signature SU(Y * X * V) by the card public key nU and, if it is valid, transmits the random numbers X and Y, the amount information V and the card identification number IDU to the management center 4.

The management center 4 generates a master digital signature SA(Y * X * V * IDU) for these pieces of information received from the IC card dispenser 5 and transmits it therethrough to the IC card 6. The IC card 6 recognizes the validity of the management center 4 through verification of the master digital signature SA(Y * X * V * IDU) by the master public key nA and records the entire information received from the IC card dispenser 5 in the usage information area 6M2 in the memory 64.

Incidentally, the IC card dispenser 5 may be of a configuration wherein it does not perform the verification processing but only reads and writes data into the IC card 6. In such an instance, the IC card dispenser 5 functions only as a relay for the respective information, and the verification of digital signatures and the generation of the random number are performed by the management center 4.

Fig. 8 shows procedures for setting a secret key which is used not only to encrypt the contents of communication at the transmitting side but also to decrypt them at the receiving side so as to prevent the information from being stolen or falsified on the communication path between the management center 4, the IC card terminal 2, the IC card 6 and the IC card dispenser 5 which are each located at a place remote from the others and transmit information thereto using a communication procedure.

The man^&n^fTt c&ttet 4 has an erKrypting func- 
tion E for cipher conununication. a terrporary common 
key Ktemp and a common key WO for encryption use, 
and a key aeating master key KA for deriving ertcrypt- 
ing keys KT and KU for ci>her communication from spe- 
cific information such as terminal and card identification 
nurTt>ers IDT and IDU. In this case, it is possible to use, 
as the encrypting function E, an algoritfun FEAL (fis- 
ctosed in *'Fast data enciphemient algorithm FEAL." 
lECEJ Technkal Report IT 86-33 (1986). for instence. 
The endpherment of the document M t]y the key K wOl 
be incGcated by EK {M} • 

The IC card terminal 2 has the temporary common key Ktemp recorded in
its memory when it was manufactured, and when it is installed, it
receives the encrypting terminal key KT and the common key KO by a
cipher communication using the temporary common key Ktemp and records
these keys KO and KT in the memory. Thereafter, the transmission and
reception of signals between the management center 4 and the IC card
terminal 2, described previously in conjunction with Fig. 4A, are
carried out by cipher communication using the key KT inherent to the
terminal 2.

The IC card 6 has the temporary common key Ktemp recorded in its memory
when it was fabricated, and when it is issued, it receives the
encrypting key KU and the common key KO via the IC card dispenser 5 and
records these keys KU and KO in the memory. The encrypting key KU is
generated from the card identification number IDU under the master key
KA.

The key KU may be delivered from the management center 4 to the IC card
dispenser 5 together with the pieces of data nA, IDU, ... when they are
delivered as described previously with respect to Fig. 5B. After this,
the transmission and reception of signals between the IC card 6 and the
IC card dispenser 5 described previously in respect of Figs. 4B and 4C
are performed by cipher communication using the key KU inherent to the
card 6.

On the other hand, the transmission and reception of signals between
the IC card terminal 2 and the IC card 6 shown in Figs. 5 and 6 are
carried out by cipher communication using the common key KO.

In the case where the IC card dispenser 5 and the management center 4
are connected on-line as described previously with reference to Fig. 7,
the transmission of the card identification number IDU from the IC card
6 to the management center 4 enables the latter to derive the key KU
from the card identification number IDU by use of the master secret key
KA; therefore, it is possible to provide increased security by using
the encrypting key KU inherent to the card, in place of the common key
KO, for writing the prepaid amount into the card or recharging it.

While the foregoing description has been given on the assumption that
the IC card dispenser 5 and the management center 4 are located at
different places, they may be formed as a unitary structure with each
other, and it is also possible to enclose the IC card dispenser 5 and
the IC card terminal 2 in the same housing. Moreover, in the cases of
transmitting the terminal secret keys pT and qT from the management
center 4 to the IC card terminal 2 and transmitting the card secret
keys pU and qU from the IC card dispenser 5 to the IC card 6, security
can be further increased by transmitting the keys together with the
master digital signature of the management center 4 and by verifying
the signature at the receiving side.

According to the embodiments of Figs. 5 and 6, since the IC card 6 and
the IC card terminal 2 each transmit the identification number and the
public key to the other together with the master digital signature of
the management center 4, even if the contents of communication are
falsified by, for example, forcing the IC card terminal 2 open, the
falsification can be detected by verifying the master digital signature
of the management center 4 at the receiving side. Furthermore, even if
the contents of the IC card 6 could be copied to another IC card by a
stolen IC card terminal, for instance, the falsification of the master
digital signature of the management center 4 is so difficult that there
is no choice but to copy it intact; therefore, the copy could be
checked by acquiring data of the IC card used. Besides, it is
impossible to issue an IC card equivalent to a normal or valid one by
altering a stolen IC card terminal or through use of a personal
computer and an IC card reader unless the master secret key for
generating the master digital signature of the management center,
placed under strict supervision, is known. In addition, since the
validity of the IC card and the IC card terminal is verified by the
identification number appended with the master digital signature of the
management center 4 as referred to above, the IC card terminal 2 does
not need to inquire of the management center 4 about the validity of
the IC card 6 prior to or during the service being rendered.

Turning next to Fig. 9, a description will be given of an embodiment of
the invention improved from the Fig. 6 embodiment applied to the
prepaid card system. As in the Fig. 6 embodiment, the IC card system,
each IC card terminal and the IC card are basically identical in
configuration with those shown in Figs. 1, 2 and 3, except that the IC
card terminals 2a, 2b, ... each have a list of invalid IC card
identification numbers IDU1, IDU2, ... prestored in a memory area 2M2
of its internal RAM as described later on. The invalid identification
number list is written into the memory area 2M2 by a down load from the
management center 4, for instance, when the IC card terminal 2 is
installed, and thereafter the list is updated by the management center
4 as required.

Fig. 9 shows processing for the card user to receive his desired
service at the IC card terminal 2b different from that 2a used
previously. The pieces of information or data prestored in the card
information area 6M1 of the EEPROM 64 of the IC card 6 and in the
terminal information area 2M1 of the RAM in the telephone controller 14
of the IC card terminal 2b are the same as in the case of the Fig. 6
embodiment. In this case, however, symbols representing pieces of
information or data inherent to the respective IC card terminals 2a and
2b will be identified by superscripts "a" and "b", respectively. In the
usage information area 6M2 of the memory 64 of the IC card 6 there is
retained the previous usage information, which includes the remaining
value V', the terminal identification number IDT^a, the terminal public
key nT^a, the random numbers R^a and X, the master digital signature
SA(nT^a * IDT^a) and the terminal digital signature
ST^a(R^a * X * V' * IDU) received from the IC card terminal 2a used
previously as described in connection with Fig. 6. The IC card terminal
2b has the afore-mentioned list of invalid card identification numbers
IDU1, IDU2, ... in another area 2M2 of the memory.

When inserted into the IC card terminal 2b different from that used
previously, the IC card 6 sends thereto the card identification number
IDU, the card public key nU and the master digital signature
SA(nU * IDU). The IC card terminal 2b matches the received card
identification number IDU with the list of the invalid card
identification numbers prestored in the memory area 2M2 and, when no
match is detected, the IC card terminal 2b verifies the master digital
signature SA(nU * IDU). If this signature is valid, the IC card
terminal 2b generates a random number R^b and sends it to the IC card 6
together with a terminal public key nT^b, a terminal identification
number IDT^b and a master digital signature SA(nT^b * IDT^b).

The IC card 6 verifies the master digital signature SA(nT^b * IDT^b)
and, if it is valid, generates a random number X' and a card digital
signature SU(R^b * X' * V') for the random numbers R^b and X' and the
remaining value V' and sends them to the IC card terminal 2b together
with the pieces of the previous card usage information or data R^a, X,
IDT^a, nT^a, ST^a(R^a * X * V' * IDU) and SA(nT^a * IDT^a).

The IC card terminal 2b verifies the card digital signature
SU(R^b * X' * V'), and the terminal digital signature
ST^a(R^a * X * V' * IDU) and the master digital signature
SA(nT^a * IDT^a) of the previous card usage information all received
from the IC card 6. When all the digital signatures are valid, the IC
card terminal 2b displays the remaining value V' and a guidance or
prompt on the display 13. The user specifies his desired service by
pressing function buttons 12 and receives the service. Upon completion
of the service, the IC card terminal 2b creates a new remaining value
V'' and a terminal digital signature ST^b(R^b * X' * V'' * IDU) and
sends them to the IC card 6.

The IC card 6 verifies the terminal digital signature received from the
IC card terminal 2b and, if it is valid, then updates the usage
information area 6M2 with all the pieces of information received from
the IC card terminal 2b and sends thereto an authentication signal OK.
On the other hand, the IC card terminal 2b then generates usage
management information h from the card identification number IDU, the
random numbers R^a and X, the terminal identification number IDT^a and
the remainder value V' received from the IC card 6 and temporarily
records them in another area 2M3 of the RAM in the telephone controller
14, together with the card identification number IDU. In this case, the
usage management information h may be a numerical sequence composed of,
for instance, IDU, R^a, X, IDT^a and V', or its data-compressed version
by a hash function.

The card identification number and the data of usage information stored
in the IC card terminal 2b are sent to the management center 4 at
proper time intervals, for example, every day. In the database 4D in
the management center 4 there are registered card identification
numbers (IDU0, IDU1, IDU2, ...) and IC card usage management
information (h01, ... for IDU0, for example) received so far. Upon
newly receiving a card identification number and usage management
information, the management center 4 first retrieves the card
identification number. When the same card identification number is not
found, the card identification number and the accompanying usage
management information received from the IC card terminal 2b are newly
registered. When the same card identification number is found, the
usage management information of the card identification number already
registered and the usage management information newly received are
compared and checked to see if they are the same. If not, the latter is
additionally registered as new usage management information. If the
same usage management information is found, then the card
identification number is registered in the invalid card list 4L (as
IDU100).

When having registered the card identification number in the invalid
card list 4L, the management center 4 calls all of the IC card
terminals 2 and transmits the registered card identification number to
the IC card terminals 2, wherein it is additionally registered in the
invalid card identification number list of the memory area 2M2. Hence,
when the IC card of that card identification number is used, it can be
decided to be abnormal by checking its card identification number and
its use can be inhibited. By constructing the management center 4 so
that upon registration of the card identification number in the invalid
card list 4L all pieces of data of that card identification number in
the database 4D are erased, the data retrieval time can be reduced.
Moreover, by constructing the IC card terminal 2 so that it stores new
remaining value information as well as the card identification number
and the usage/management information and transmits the new remaining
value information to the management center 4 together with the
usage/management information and by providing a database of remaining
value information corresponding to each card identification, the
remaining value information can be used to specify the remaining value,
for example, when the data of the IC card 6 is destroyed.
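
The following sketch is an added illustration, not part of the patent text: it models the Fig. 9 bookkeeping, in which each use of a card reports a hash h of the card's previous usage record, so a copied card that presents an already-reported record gets its number placed on the invalid lists. Signature verification is left out, and the class names, field names and sample values are assumptions constructed for the example.

```python
import hashlib
import secrets


def usage_management_info(idu, r_a, x, idt_a, v_prev):
    """h: the sequence IDU, R^a, X, IDT^a, V' compressed by a hash function."""
    h = hashlib.sha256()
    for field in (idu, r_a, x, idt_a, str(v_prev)):
        raw = field.encode()
        h.update(len(raw).to_bytes(2, "big") + raw)  # length prefix keeps fields unambiguous
    return h.hexdigest()


class ManagementCenter:
    def __init__(self):
        self.database_4d = {}         # IDU -> set of h values received so far
        self.invalid_list_4l = set()  # invalid card list 4L
        self.terminals = []

    def register(self, idu, h):
        if idu in self.invalid_list_4l:
            return "already invalid"
        seen = self.database_4d.setdefault(idu, set())
        if h not in seen:
            seen.add(h)               # new previous state for a known or new card
            return "registered"
        # The same previous state was presented twice: one of the cards is a copy.
        self.invalid_list_4l.add(idu)
        del self.database_4d[idu]     # optional erase that shortens later retrieval
        for terminal in self.terminals:
            terminal.invalid_list_2m2.add(idu)
        return "invalidated"


class Terminal:
    def __init__(self, idt, center):
        self.idt = idt
        self.center = center
        self.invalid_list_2m2 = set()  # invalid card numbers, memory area 2M2
        self.pending_2m3 = []          # (IDU, h) pairs awaiting upload, area 2M3
        center.terminals.append(self)

    def serve(self, card, charge):
        if card["IDU"] in self.invalid_list_2m2:
            return False
        h = usage_management_info(card["IDU"], card["R"], card["X"],
                                  card["IDT"], card["V"])
        self.pending_2m3.append((card["IDU"], h))
        # Each use overwrites the record with fresh random numbers and a new value.
        card.update(R=secrets.token_hex(8), X=secrets.token_hex(8),
                    IDT=self.idt, V=card["V"] - charge)
        return True

    def upload(self):
        results = [self.center.register(idu, h) for idu, h in self.pending_2m3]
        self.pending_2m3.clear()
        return results


def demo():
    center = ManagementCenter()
    term_a, term_b = Terminal("T-A", center), Terminal("T-B", center)
    # Constructed card record; the copy is taken before the genuine card is used.
    card = {"IDU": "C-0001", "R": "00", "X": "00", "IDT": "T-0", "V": 1000}
    clone = dict(card)
    first = term_a.serve(card, 100)
    copy_use = term_b.serve(clone, 100)   # not yet detectable: uploads are periodic
    reports = term_a.upload() + term_b.upload()
    later = term_a.serve(card, 100)       # the card number is now inhibited
    return first, copy_use, reports, later
```

Detection happens only at the next upload, so the copy can be used until then, and the genuine card is inhibited along with the copy because both carry the same card identification number.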

As will be seen from comparison of Figs. 4C and 7 with Figs. 5, 6 and
9, although in the above the IC card 6 does not initially have, for
example, the digital signature ST(R * X * V' * IDU) and the terminal
public key nT of the IC card terminal 2 in the usage information area
6M2 of the EEPROM 64, it is a matter of course that if initial values
corresponding to them are recorded in the initial state as well, the
usage/management information can be generated from the beginning of the
use of the IC card and the whole usage/management information can be
held under the control of the management center 4.

While in the above the IC card 6 and the IC card terminal 2 are
configured so that they have, in their card information area 6M1 and
terminal information area 2M1, the secret keys pU, qU and pT, qT for
generating digital signatures and the public keys nU and nT for them,
respectively, and transmit desired pieces of information together with
the digital signatures, it is also possible to omit such a function to
simplify the processing of the IC card system.

Also it is possible to omit either one of the random numbers R and X
although security decreases. Conversely, by prestoring algorithms for
encipherment of information to be transmitted and a common key for
encipherment and decipherment in memories of the IC card 6 and the IC
card terminal 2, the mutual communication between them can be made by
cipher communication to provide further increased security.

As described above, according to the Fig. 9 embodiment, since
particular card information numbers are registered in the card
identification number list of the IC card terminal 2, it is possible to
inhibit the use of IC cards of the registered card identification
numbers. Furthermore, when the IC card 6 is used, at least the terminal
identification number identifying the IC terminal used and the random
number generated by at least one of the IC card 6 and the IC card
terminal 2 are registered as previous information in the IC card 6 and
when the IC card 6 is used next at least the card identification number
and usage/management information derived from the card identification
number, the remaining value before updating and the previous
information are registered and supervised in the management center as
information for specifying the initial state of the IC card 6 only in
the case of updating the remaining value information. When the card
identification number and the usage/management information of the
currently used IC card 6 match those already registered, the card
identification number is registered as abnormal in the card
identification number list of the IC card terminal 2, by which it is
possible to inhibit further use of the IC card 6 of the same card
identification number as that registered.

Referring next to Fig. 10, another embodiment of the present invention
will be described as being applied to a prepaid card system.

Fig. 10 shows procedures for the payment of charges by the IC card 6 in
an improved version of the Fig. 5 embodiment. As in the Fig. 5
embodiment, the IC card system, the IC card terminal 2 and the IC card
6 are basically identical in configuration with those depicted in
Figs. 1, 2 and 3. In this instance, however, the IC card terminal 2 has
in the ROM of the telephone controller a program which executes an
algorithm for updating a time stamp as described later on. For example,
the afore-noted FEAL can be used as the algorithm for updating the time
stamp.

The initial value TS_0 of the time stamp TS_t may be recorded in a
memory area 2M4 of the RAM in the telephone controller 14 after being
received from the management center 4 via the communication network 3
when the IC card terminal 2 is installed; alternatively, it may also be
preset in the memory area 2M2 of the RAM in the telephone controller 14
when the IC card terminal 2 is fabricated. Update information t is
initialized to a "0", for instance, and it is incremented by 1 upon
each updating the time stamp TS_t. In the RAM of the telephone
controller 14 there is provided a terminal list area 2M5 for
registering a list of terminal identification numbers IDT of stolen or
similarly troubled IC card terminals, initial values TS_0 of the time
stamp corresponding to them and the update information t at the time
when each trouble was found.

In the configuration of Figs. 1 through 3, the terminal identification
number IDT, the initial value TS_0 of the time stamp and the update
information t set in each IC card terminal 2 are registered in the
management center 4. The time stamp TS_t set in the respective IC card
terminal 2 is independently updated by its internal timer from the
initial value TS_0, for example, every day under a predetermined
algorithm; namely, the time stamp is replaced with a new time stamp in
a sequential order [TS_0 -> TS_1 -> TS_2 -> ... -> TS_t -> ...], and
thus the previous time stamps disappear one after another. The updating
of the time stamp need not always be periodic but may also be
aperiodic. Upon each updating of the time stamp, the number of updates
(i.e. the update information or data) t is updated to t+1. Each time
stamp TS_t and the update information t need only to correspond to each
other, that is, the time stamp may be a mere symbol and need not be a
quantity.

Upon updating the update information t the IC card terminal 2
automatically calls the management center 4 and transmits thereto the
terminal identification number and the renewed update information. The
management center 4 replaces the preregistered update information t of
the corresponding terminal identification number IDT with the received
update information t. Incidentally, it is necessary to utilize, for
updating the time stamp TS_t, an algorithm which generates the
succeeding time stamp TS_(t+1) from the current time stamp TS_t under
an encryption algorithm E using an encrypting key K, as exemplified in
Fig. 11, to thereby prevent the previous time stamp from being
generated. The afore-noted algorithm FEAL, for instance, can be used as
such an algorithm. The initial value TS_0 of the time stamp registered
in the management center 4 is not updated. In such a state, when the IC
card terminal 2 is stolen, the management center 4 is capable of
detecting, from the terminal identification number IDT of the stolen IC
card terminal 2, the initial value TS_0 of the time stamp of the stolen
IC card terminal 2 and the update information t of the time stamp at
the time when the IC card terminal 2 was stolen. These pieces of
information or data are registered in the terminal list of all IC card
terminals 2 by a down load from the management center 4.

Fig. 10 is explanatory of the processing for the user to receive his
desired service at the IC card terminal 2b through use of the IC card
6. In the Fig. 10 embodiment, however, the IC card 6 side has no
digital signature generating function. In the card information area 6M1
of the EEPROM 64 of the IC card 6 there are stored the master public
key nA, the card identification number IDU and the master digital
signature SA(IDU) and in the usage information area 6M2 there are
stored the remaining value V, the terminal identification number IDT^a,
the terminal public key nT^a, the update information t^a, the terminal
digital signature ST^a(TS^a_t) for the time stamp TS^a_t, and the
master digital signature SA(nT^a * IDT^a) which are the card usage
information received from the IC card terminal 2a previously used. In
this example the master digital signature SA(IDU) held in the IC card 6
is shown to be a master digital signature for only the identification
number of the IC card, but it is also possible to use a master digital
signature SA(IDU * mU) for the concatenation of the identification
number IDU and predetermined information mU.

In the terminal information area 2M1 of the RAM in the telephone
controller 14 of the IC card terminal 2b there are stored the terminal
identification number IDT^b, the terminal secret keys pT and qT for
creating the digital signature, the terminal public key nT^b, the
master public key nA and the master digital signature SA(IDT^b * nT^b)
and in another predetermined area 2M4 there are recorded the latest
time stamp TS^b_t and update information t^b of the IC terminal 2b. In
still another area 2M5 of the RAM in the IC card terminal 2b there are
recorded, as a table, terminal identification numbers IDT^i, IDT^j, ...
of stolen or similarly troubled IC card terminals, their time stamps
TS^i_0, TS^j_0, ... and update information t^i, t^j, ... at the points
when they were found, which are provided from the management center 4.

When inserted into the IC card reader/writer 11 of the IC card terminal
2b, the IC card 6 sends thereto the identification number IDU and the
master digital signature SA(IDU) as in the embodiments described above.
The IC card terminal 2b verifies the received master digital signature
SA(IDU) by the master public key nA and, if it is valid, then sends the
identification number IDT^b, the terminal public key nT^b and the
master digital signature SA(IDT^b * nT^b) of the IC card terminal 2b
itself to the IC card 6. Then the IC card 6 verifies the validity of
the received master digital signature SA(IDT^b * nT^b) by the master
public key nA. The process performed so far is the same as in the
embodiment of Fig. 5.

When the master digital signature SA(IDT^b * nT^b) is valid, the IC
card 6 sends pieces of the previous card usage information V, IDT^a,
t^a, nT^a, ST^a(TS^a_t) and SA(nT^a * IDT^a) to the IC card terminal
2b. The IC card terminal 2b matches the received terminal
identification number IDT^a with each piece of the data IDT^i, IDT^j,
... in the troubled terminal list and, when they do not match, displays
remaining value V and a guidance or prompt on the display 13. When the
user specifies his desired service by pressing the function buttons 12
while referring to the guidance displayed on the display 13, the IC
card terminal 2b reads out the charge v for the specified service from
a list prestored in a memory of the telephone controller 14 or receives
the charge v from the service center (not shown) via the communication
network 3. Then the IC card terminal 2b compares the charge v and the
remaining value V and starts to provide the specified service when the
remaining value V is larger than the service charge v. Upon completion
of the service, the IC card terminal 2b subtracts the service charge v
from the remaining value V to obtain a new remainder value V' and
generates a digital signature ST^b(TS^b_t) for the current time stamp
TS^b_t by the terminal secret or private keys pT^b and qT^b and sends
it to the IC card 6 together with the pieces of data V' and t^b. The IC
card 6 updates the usage information area 6M2 in the EEPROM 64 with all
the pieces of information received from the IC card terminal 2b
together with the remaining value V'.

In the above processing, when the terminal identification number IDT^a
sent to the IC card terminal 2b matches with any one of those in the
troubled terminal list, the following processing is performed.

(1) Let IDT^i represent the terminal identification number in the list
that matched the terminal identification number IDT^a sent to the IC
card terminal 2b. The initial value TS^i_0 of the time stamp
corresponding to the terminal identification number IDT^i is
recursively calculated by the number of updates in the update
information t^a received from the IC card 6 under the algorithm of
Fig. 11 registered as a program of the IC card terminal 2b, and the
time stamp TS^i_t corresponding to the update information t^a is
obtained as follows:

TS^i_0 -> TS^i_1 -> TS^i_2 -> ... -> TS^i_t

(2) The IC card terminal 2b verifies the validity of the signature
ST^a(TS^a_t) by the time stamp TS^i_t obtained by the above calculation
and the public key nT^a received from the IC card 6.

(3) When the digital signature is not valid, the IC card terminal 2b
decides that the IC card 6 is abnormal or invalid and stops further
processing, then ejecting or returning the IC card 6 to the user.

(4) When the digital signature is valid, the IC card terminal 2b
compares update information t^i corresponding to the above-noted
terminal identification number IDT^i in the troubled terminal list and
the update information t^a received from the IC card 6.

(5) When t^a ≤ t^i, the update information t^a is judged as update
information generated before the pieces of data IDT^i, TS^i_0 and t^i
were registered in the terminal list; that is, the IC card 6 is judged
to be an IC card whose card usage information (terminal identification
number IDT^i, update information t^a, public key nT^i and
digitally-signed time stamp ST^i(TS^i_t)) in the usage information area
6M2 had been updated by a stolen IC card terminal 2j (not shown) of the
identification number IDT^i before it was stolen. As the result of
this, the IC card terminal 2b regards the IC card 6 as valid and
performs the subsequent processing accordingly.

(6) When t^a > t^i, the update information t^a is judged as update
information generated after the pieces of data IDT^i, TS^i_0 and t^i
were registered in the troubled terminal list; that is, the IC card 6
is judged to be an IC card whose card usage information was updated by
the IC card terminal 2j of the identification number IDT^i after it had
been stolen. As the result of this, the IC card terminal 2b regards the
IC card 6 as invalid and discontinues the process and ejects or detains
the IC card 6 in the IC card terminal 2b.
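
Steps (1) to (6) can be traced with the sketch below, which is an added illustration and not part of the patent text. HMAC-SHA256 under an assumed system-wide key K stands in for the Fig. 11 update TS_(t+1) = E_K(TS_t), textbook RSA over two small constructed primes stands in for the terminal's signature scheme, and all names and sample values are assumptions made for the example.

```python
import hashlib
import hmac

# Toy parameters constructed for this example only; far too small for real use.
pT, qT = 2**107 - 1, 2**127 - 1   # terminal secret keys pT, qT (two Mersenne primes)
nT = pT * qT                      # terminal public key nT
E = 65537                         # public exponent of the stand-in signature scheme
K = b"constructed-update-key-K"   # assumed key K shared by every terminal's update program
TS0 = b"constructed-initial-stamp"  # TS_0 of the troubled terminal (sample value)


def next_stamp(ts):
    """One update step TS_t -> TS_(t+1); one-way, so earlier stamps cannot be recovered."""
    return hmac.new(K, ts, hashlib.sha256).digest()


def stamp_at(ts0, t):
    """Step (1): recompute TS_t from the registered TS_0 by t successive updates."""
    ts = ts0
    for _ in range(t):
        ts = next_stamp(ts)
    return ts


def digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, p, q):
    d = pow(E, -1, (p - 1) * (q - 1))
    return pow(digest(message, p * q), d, p * q)


def verify(message, signature, n):
    return pow(signature, E, n) == digest(message, n)


def check_previous_usage(usage, troubled_list):
    """Decide whether a card last written by a listed terminal is still acceptable.

    usage: record read from the card: IDT, t, nT and the signature over TS_t.
    troubled_list: IDT -> (TS_0, t registered when the trouble was found).
    """
    entry = troubled_list.get(usage["IDT"])
    if entry is None:
        return True, "previous terminal is not in the troubled list"
    ts0, t_found = entry
    expected = stamp_at(ts0, usage["t"])                      # step (1)
    if not verify(expected, usage["sig"], usage["nT"]):       # steps (2), (3)
        return False, "signature does not match the recomputed time stamp"
    if usage["t"] <= t_found:                                 # steps (4), (5)
        return True, "written before the trouble was registered"
    return False, "written after the trouble was registered"  # step (6)


def record_written_by_terminal(idt, t_claimed, t_actual):
    """Usage record left on a card; a terminal can only sign the stamp it currently holds."""
    sig = sign(stamp_at(TS0, t_actual), pT, qT)
    return {"IDT": idt, "t": t_claimed, "nT": nT, "sig": sig}


# Constructed troubled-terminal list: terminal "T-0042" was found stolen at update 10.
TROUBLED = {"T-0042": (TS0, 10)}
```

A record whose claimed update count is lower than the stamp that was actually signed fails at step (2), because the verifier recomputes the stamp for the claimed count and the one-way update prevents a terminal from going back to an earlier stamp.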

Fig. 12 illustrates another embodiment of the invention which provides
further increased security through use of random numbers in the Fig. 10
embodiment as in Fig. 6. In a ROM 61 of the IC card 6 there are
recorded an algorithm for generating the digital signature and an
algorithm for generating the random numbers. In the card information
area 6M1 in the EEPROM 64 of the IC card 6 there are stored the
information in the card information area 6M1 in Fig. 10, together with
the card secret keys pU and qU and the public key nU for the
verification of the digital signature. In this case, however, the
master digital signature used is SA(IDU * nU). In the usage information
area 6M2 in the EEPROM 64 there are held all pieces of card usage
information received from the previously used IC card terminal 2a, that
is, the terminal identification number IDT^a, the public key nT^a, the
master digital signature SA(nT^a * IDT^a) for them, the update
information t^a, the random number R^a, the previously generated random
number X, a first digital signature ST^a(R^a * X * V * IDU) = S^a
generated by the previously used IC card terminal 2a for the random
numbers R^a and X, the remaining value V and the card identification
number IDU, and a second digital signature ST^a(TS^a_t * S^a) generated
by the previously used IC card terminal 2a for the first digital
signature and the time stamp TS^a_t.

When inserted into the IC card reader/writer 11 of the IC card terminal
2b, the IC card 6 sends thereto the card identification number IDU, the
public key nU and the master digital signature SA(IDU * nU) as in the
case of Fig. 10, and the IC card terminal 2b verifies the master
digital signature SA(IDU * nU) by the public key nU. When the master
digital signature is valid, the IC card terminal 2b sends the terminal
identification number IDT^b, the public key nT^b and the master digital
signature SA(IDT^b * nT^b) to the IC card 6. The IC card 6, in turn,
verifies the master digital signature SA(IDT^b * nT^b) and, if valid,
sends to the IC card terminal 2b the pieces of data R^a, X, V, IDU,
S^a, IDT^a, t^a, SA(nT^a * IDT^a), nT^a and ST^a(TS^a_t * S^a) which
are the previous card usage information.

Then the IC card terminal 2b verifies the validity of the first digital
signature S^a by the public key nT^a. When the signature is valid, the
IC card terminal 2b matches the received terminal identification number
IDT^a with data in the troubled terminal list, and if the former does
not match the latter, the IC card terminal 2b generates the random
number R^b and sends it to the IC card 6. In response to this, the IC
card 6 generates the random number X' and generates a digital signature
SU(R^b * X' * V) for the random numbers R^b and X' and the remaining
value V by use of the secret keys pU and qU, then sends it to the IC
card terminal 2b together with the random number X' and the card public
key nU. The IC card terminal 2b, in turn, checks the validity of the
received digital signature SU(R^b * X' * V) by the public key nU also
received from the IC card 6. When the digital signature is valid, the
IC card terminal 2b displays the remaining value V on the display 13
and then provides a predetermined service. After completion of the
service the IC card terminal 2b obtains the new remaining value V' and
generates a first digital signature ST^b(R^b * X' * V' * IDU) = S^b for
the random numbers R^b and X', the remaining value V' and the card
identification number IDU by use of the terminal secret keys pT^b and
qT^b and, at the same time, generates a second digital signature
ST^b(TS^b_t * S^b) for the time stamp TS^b_t and the first digital
signature S^b, thereafter sending them to the IC card 6 together with
the new remaining value V' and the update information t^b. The IC card
6 checks the validity of the received first digital signature S^b by
the terminal public key nT^b also received from the IC terminal 2b and,
if it is valid, then updates the usage information area 6M2 with the
whole information received from the IC terminal 2b. In the event that
the validity of the digital signature cannot be verified in the above,
the IC card terminal 2b stops processing at that point and ejects or
returns the IC card 6.

In the case where the data IDT^i that matches the data IDT^a sent to
the IC card terminal 2b is found in the troubled terminal list, the
same process as described previously is performed. In this embodiment,
since the random numbers R and X, generated by the IC card terminal 2
and the IC card 6, are utilized in the transmission and reception of
information between them, the contents of signals will not ever become
the same; hence it is possible to prevent an abuse using an intercepted
signal. Moreover, since the IC card 6 and the IC card terminal 2 not
only conduct mutual verification of the master digital signature but
also generate their own digital signatures and mutually verify them,
the system security can be further increased.

Also in the embodiment of Fig. 12, by prestoring algorithms for
encryption and decryption of transmission data and common encrypting
and decrypting keys in the memories of the IC card 6 and the IC card
terminal 2, the communication between them can be made by a cipher
communication; this also provides further increased security.

As described above, according to the embodiment of Figs. 10 and 12, when the IC card 6 is used, the terminal identification number of the IC card terminal 2 used, the public key for verifying the digital signature generated by the IC card terminal 2, the digital signature produced by the IC card terminal 2 for the time stamp at the time of the use of the IC card 6 and update information of the time stamp are recorded as card usage information in a predetermined memory area in the IC card 6. When the IC card 6 is used next at a different IC card terminal 2, the IC card 6 sends thereto the card usage information recorded in the above-said memory, and the IC card terminal 2 specifies the previously used IC card terminal on the basis of the terminal identification number in the card usage information sent from the IC card 6. The IC card terminal 2 matches the specified terminal number with those registered in the terminal list in the IC card terminal 2, and if the specified terminal number matches any one of the registered ones, then the IC card terminal 2 will read out of the terminal list the initial value of the time stamp corresponding to the registered terminal number and the update information also corresponding thereto.

The IC card terminal 2 updates the initial value of the time stamp by a predetermined algorithm on the basis of the update information received from the IC card 6 to obtain the time stamp of the IC card terminal at the time when it was used previously. The IC card terminal 2 verifies the validity of the digital signature for that time stamp by the time stamp itself and the public key received from the IC card 6 to ensure that the update information received from the IC card 6 is valid. When the update information is valid, the IC card terminal 2 matches it with the pieces of update information recorded in the afore-said terminal list to make a check to see if the time of the previous use of the IC card at the IC card terminal 2, registered in the above-mentioned terminal list of the IC card 6, goes before or comes after the time when the terminal number was registered in the terminal list. If the IC card terminal 2 fails to verify the validity of the digital signature, it judges that the update information or digital signature received from the IC card 6 is not normal or valid information and processes the IC card as an abnormal or invalid card. Furthermore, if the terminal identification number of the IC card terminal 2 is specified in the management center 4, the initial value of the time stamp of the IC card terminal of the specified terminal identification number and the update information at that time point can be known and these pieces of information can be registered in the terminal list of the IC card terminal 2.

Next, a description will be given of an embodiment wherein the IC card of the present invention is applied to a credit card. In this embodiment the IC credit card system to which the IC card and the IC card terminal of the present invention are applied has the same configuration as shown in Fig. 1. The IC card terminals 2a, 2b, ... perform the verification processing by use of the IC card 6 and provide various services. The management center 4 holds the charges for the services used by the IC card 6. Each IC card terminal 2 stores in its memory the identification numbers of the IC cards used at that terminal and the charges for the services rendered and automatically calls the management center 4 at regular time intervals, for example, every day and transmits the stored information to the management center 4 via the communication network 3. The management center 4 sums the charges for each card identification number and demands payment of each user every month, for instance. The internal constructions of each IC card terminal 2 and the IC card 6 are the same as shown in Figs. 2 and 3.

Fig. 13 is a diagram for explaining the procedure for the user to register a password in the IC card 6 by use of the IC card terminal 2. In the card information area 6M1 of the EEPROM 64 of the IC card there are written, at the time of issuing the IC card 6 from the IC card dispenser 5, the identification number IDU for specifying the user, a password setting number Ns assigned to each user, a master digital signature SA(Ns) generated by the management center 4 for the password setting number Ns by use of a master key, and master digital signature SA(IDU * SA(Ns)) generated by the management center 4 for the identification number IDU and the master digital signature SA(Ns) by use of the master key. When these pieces of data are written, the validity of the password setting number Ns can be checked through verification of the master digital signature SA(Ns) by the public key nA.

In the terminal information area 2M1 of the RAM in the telephone controller 14 of the IC card terminal 2 there are prestored the master public key nA for verifying the master digital signatures created by use of the master key; the terminal secret keys pT and qT for generating the digital signature by the IC card terminal 2 and the terminal public key nT for verifying the digital signature created by the IC card terminal 2.

When inserted into the IC card reader/writer 11 of the IC card terminal 2, the IC card 6 sends thereto the identification number IDU, the master digital signature SA(Ns) and the digital signature SA(IDU * SA(Ns)). The IC card terminal 2 verifies, in turn, the digital signature SA(IDU * SA(Ns)) by the master public key nA to ensure the validity of the identification number IDU. If the identification IDU is judged to be invalid, then the IC card 6 is ejected or returned and the process is discontinued. When the identification number IDU is judged to be valid, a prompt for the input of a password is displayed on the display 13. During the display of this prompt the input of a password is enabled and the selection of the password registration by pressing a particular one of the function buttons 14 is made effective.

Upon selective pressing of the password registration command button among the function buttons 14, the IC card terminal 2 proceeds to the password registration process. The IC card terminal 2 sends a notice of the password registration to the IC card 6 to indicate thereto the start of the password registration process, while at the same time the IC card terminal 2 provides a display "ENTER IDENTIFICATION NUMBER" on the display 13 to urge the user to enter the identification number. Upon entering of the identification number IDU' by the user with pushbuttons, the IC card terminal 2 matches it with the identification number IDU previously received from the IC card 6 to check the validity of the identification number IDU' input by the user. When both identification numbers do not match, the IC card terminal urges again the user to input the identification number. If the identification number IDU' does not match the previous one IDU even after being entered three times, for instance, the IC card terminal 2 judges that the IC card 6, discontinuing the process. When the identification numbers match, the IC card terminal 2 produces a display "ENTER PASSWORD SETTING NUMBER" on the display 13, prompting the user to enter the setting number.

Upon entering the setting number Ns' by the user with pushbuttons, the IC card terminal 2 sends the setting number Ns' to the IC card 6. The IC card 6 matches the currently received setting number Ns' with the setting number Ns prestored in the afore-mentioned memory to check the validity of the setting number Ns' entered by the user. If they do not match, the IC card 6 sends a mismatch notice to the IC card terminal 2, which urges again the user to enter the setting number. In the event that the current setting number does not match the previous one even after being entered three times, for example, the IC card terminal 2 judges that the IC card 6 being used is abused and ejects it and discontinues the process. When the setting numbers match, the IC card 6 sends an authentication signal OK (a first authentication notice) to the IC card terminal 2. The IC card terminal 2 provides a display "ENTER PASSWORD" on the display 13, prompting the user to enter the password. Upon entering of the password Nc by the user with pushbuttons, the IC card terminal 2 creates a digital signature ST(Nc) for the password by use of the terminal secret keys pT and qT and sends the digital signature ST(Nc) and the terminal public key nT to the IC card 6 together with the password Nc. The IC card 6 verifies the digital signature ST(Nc) by the terminal public key nT to check the validity of the password Nc. When the password Nc is valid, it is recorded in the RAM 62. The IC card 6 becomes enabled for use only after the password Nc is thus registered therein.

While in the above the setting number Ns' is verified on the IC card 6, it can also be checked at the IC card terminal 2 if the setting number Ns is also sent to the IC card terminal 2 together with the card identification number IDU at the beginning. However, this procedure is not preferable from the viewpoint of security, because the setting number Ns, information that must be kept strictly secret, is transmitted from the IC card 6. Besides, in the case where the identification number or setting number, entered by pushbuttons, does not match the previous one even after being entered three times, the IC card 6 could be disabled for further use by writing thereinto to the effect that the IC card 6 is invalid or abused.

Fig. 14 is a diagram for explaining the process in which the user receives a service at the IC card terminal 2 through use of the IC card 6 which is a credit card. In the RAM 62 of the IC card 6 there is recorded the password Nc in the manner described above. When inserted into the IC card reader/writer 12 of the IC card terminal 2, the IC card 6 sends thereto the identification number IDU and the master digital signatures SA(Ns) and SA(IDU * SA(Ns)). The IC card terminal 2 verifies the digital signature SA(IDU * SA(Ns)) by the master public key nA to check the validity of the identification number IDU. When the identification number IDU is not valid, the IC terminal 2 ejects the IC card 6 and discontinues the process. When the identification number is valid, the IC card terminal 2 provides a display "ENTER PASSWORD" on the display 13. While this display is being provided, the entering of the password is allowed or enabled and the re-registration of the password by pressing the function buttons 14 is also effective. In other words, if desired, the password can be changed. At this time, when the user dials the password Nc', it is sent to the IC card 6, wherein it is matched with the prestored password Nc. When they do not match, the IC card 6 sends a mismatch notice to the IC card terminal 2, which prompts the user to re-enter the password. In the event that the password does not match the prestored one even after being entered three times, for example, the IC card terminal 2 judges that the IC card 6 is invalid, then ejects it and discontinues the processing.

When the password matches the prestored one, the IC card 6 sends an authentication signal OK (a second authentication notice) to the IC card terminal 2, which, in turn, provides on the display 13 an indication that the user's specified service is possible, and then provides the service. For instance, in the case of a communication service by telephone, the IC card terminal 2 displays that the telephone number of the other party to be called can be dialed, and then connects the user to the party of the number dialed by the user. Thus, the user is allowed to receive the communication service and upon completion of the service the IC card terminal 2 records, in the service information area 2M6 of its internal memory, the identification number IDU identifying the user, the date of use D and the charge V and then ejects the IC card 6, completing the process. The data stored in the internal memory is transmitted to the management center 4 once or twice daily, for example. The management center 4 sums up the charges for each identification number and submits bills to the users and receives payments therefrom every month.

Fig. 15 is a diagram illustrating another embodiment of the present invention which provides increased security of the password registration process shown in Fig. 13. In the card information area 6M1 in the EEPROM 64 of the IC card 6 there are stored the card secret keys pU and qU for generating the digital signature by the IC card 6 and the card public key nU for verifying the digital signature created by the IC card 6 as well as the pieces of information or data IDU, Ns, SA(Ns) and SA(IDU * SA(Ns)) shown in the corresponding area in Fig. 13. Furthermore, the IC card 6 and the IC card terminal 2 each have a random number generating program stored in its memory. In the password registration process, when the user enters the password Nc by pushbuttons after the verification of the identification number IDU' and the setting number Ns' by the above-described procedures, the IC card terminal 2 creates the random number R and sends it to the IC card 6. The IC card 6, in turn, creates the random number X and then generates a digital signature SU(R * X) for the random numbers R and X by use of the card secret keys pU and qU, thereafter sending the random number X and the card public key nU to the IC card terminal 2 together with the digital signature SU(R * X).

The IC card terminal 2 verifies the digital signature SU(R * X) by the card public key nU to ensure that the IC card 6 is a valid party. Then the IC card terminal 2 creates a digital signature ST(R * X * Nc) for the random numbers R and X and the password Nc by use of the terminal secret keys pT and qT and transmits the terminal public key nT and the password Nc to the IC card 6 together with the digital signature ST(R * X * Nc). The IC card 6 verifies the digital signature ST(R * X * Nc) by the terminal public key nT to ensure that the IC card terminal 2 and the password Nc are valid, and records the password Nc in the RAM 62. In this embodiment, since the random numbers generated by the IC card terminal 2 and the IC card 6 are used in the transmission and reception of data between them, the signals used will not ever have the same contents; this prevents an abuse of the system through utilization of an intercepted signal. Moreover, the IC card terminal 2 and the IC card 6 create digital signatures and verify them by each other, providing increased security.

Fig. 16 is a diagram showing another example of the process for receiving a service at the IC card terminal 2 through use of the IC card described previously with reference to Fig. 14. When the user enters the password Nc' by pushbuttons after he inserted the IC card 6 into the IC card terminal 2 and the identification number IDU was verified by the procedure as described previously in respect to Fig. 14, the IC card terminal 2 generates the random number R and sends it to the IC card 6 together with the password Nc'. The IC card 6 matches the received password Nc' with the password Nc stored in the memory and, if they match each other, the IC card terminal 2 generates the random number X and creates the digital signature SU(R * X) for the random numbers R and X by use of the card secret keys pU and qU, thereafter sending the random number X and the card public key nU to the IC card terminal 2 together with the digital signature SU(R * X).

The IC card terminal 2 verifies the digital signature SU(R * X) by the card public key nU and judges that the IC card 6 and the password are both valid, and then the IC card terminal 2 provides on the display 13 an indication that the service specified by the user is possible and executes the service. Upon completion of the service, the IC card terminal 2 records the identification number identifying the user, the date of use D and the service charge V in the service information area 2M6 in its internal memory and then ejects the IC card 6, thus completing the process. As is the case with the Fig. 14 embodiment, the data in the service information area 2M6 is transmitted to the management center 4 periodically, or when the amount of data stored reaches a fixed value, or when the IC card terminal 2 is polled by the management center 4.

In the above, it is possible to deal with the loss of the IC card 6 or similar trouble, by adopting a system configuration in which the card identification number IDU for specifying the IC card 6 and the master digital signature SA(IDU)

In the above, if the card identification number IDU for specifying the IC card 6 and the master digital signature SA(IDU) for the card identification number IDU created by the management center 4 by use of the master key are registered in the EEPROM 64 of the IC card 6 when the IC card 6 is issued by the management center 4, and also if the card identification number IDU is sent together with the master digital signature SA(IDU) to the IC card terminal 2 when the IC card 6 is inserted into the IC card terminal 2, then the IC card terminal 2 can verify the master digital signature SA(IDU) by use of the master public key to check the validity of the card identification number. As a result, it is possible to deal with the loss of the IC card 6 or similar trouble. In other words, when the user reports the loss of the IC card 6 to the management center 4, the latter registers the card identification number of that IC card 6 in a black list in the IC card terminal 2 by down load. The IC card terminal 2 compares the card identification number IDU with those in the black list when the IC card 6 is inserted thereinto. If the card identification number of the inserted IC card 6 matches any one of the identification numbers registered in the black list, then the IC card 6 can be inhibited from use.

With a system configuration in which date information is prestored in the EEPROM 64 of the IC card 6 and sent to the IC card terminal 2 together with the card identification number IDU when the IC card 6 is inserted thereinto and compared with a calendar incorporated in the IC card terminal 2 to judge whether the IC card 6 can be used or not, it is possible to employ the IC card 6 as a card having a limited term of validity.

By storing algorithms for encryption of transmission data and common keys for encryption and decryption in both of the IC card 6 and the IC card terminal 2, the communication between them can be made as a cipher communication, providing increased security.

As will be seen from the above, in the case of employing the IC card 6 and the IC card terminal 2 in the embodiment of Figs. 13 through 16, the IC card 6 and the IC card terminal 2 mutually verify their validity and the validity of the user is verified by the IC card 6 through the IC card terminal 2; this eliminates the need of accessing the management center having a database concerning user information when receiving a service or setting a password, and hence permits easy system configuration. Since there is no need of accessing the management center, the verification time can be reduced and the operability of the system is increased. Moreover, since the identification number is verified on the basis of the digital signature created by use of the master key that is known to the management center alone, the digital signature could never be created using the identification number of another user, for example. Further, the password cannot be known from an IC card picked up and the identification number and the setting number are also unknown; hence, the password cannot be changed either. It is possible, therefore, to construct a system of excellent security.

Fig. 17 illustrates a modified form of the IC card system shown in Fig. 16. The IC card terminal 2 and the IC card 6 are identical in their internal construction with those depicted in Figs. 2 and 3. In the card information area 6M1 in the EEPROM 64 of the IC card 6 there are prestored, at the time of issuing the IC card 6, the secret keys pU and qU for the creation of its digital signature, the public key nU for verifying the digital signature, the IC card identification number IDU and the master digital signature SA(nU * IDU) of the management center 4 for the identification number IDU and the public key nU. The IC card 6 has the password Nc stored therein by the process described previously with respect to Fig. 15 or 17. The identification number IDU of the IC card 6 is prestored in the management center 4. The user inserts the IC card 6 into the IC card terminal 2 to receive his desired service. After completion of the service, the management center 4 performs the charging process for the IC card 6 used.

When inserted into the IC card reader/writer 11 of the IC card terminal 2, the IC card 6 sends thereto the pieces of information nU, IDU and SA(nU * IDU). The IC card terminal 2 verifies the master digital signature SA(nU * IDU) by the master public key nA and, if it is valid, provides a guidance on the display 13 to prompt the user to enter the password Nc.

When the user enters the password Nc' by function buttons 12, the IC card terminal 2 sends the entered password Nc' and the random number R, generated by the IC card terminal 2, to the IC card 6. The IC card 6 matches the received password Nc' with the password Nc prestored in the memory. When they match each other, the IC card 6 generates the random number X and creates the digital signature SU(R * X * Nc) for the random numbers R and X and the password Nc by use of the secret keys pU and qU stored in the card information area 6M1 in the EEPROM 64. The digital signature SU(R * X * Nc) thus created is transmitted to the IC card terminal 2 together with the random number R.

The IC card terminal 2 verifies the digital signature SU(R * X * Nc) by the card public key nU also received from the IC card 6 and, if the digital signature is valid, then displays a guidance on the display 13 to prompt the user to specify the service to be provided. In the case of a communication service by telephone, the user enters the telephone number of the other party's telephone (not shown) by the function buttons 12, after which a call to the other party's telephone is originated. Upon completion of the call or communication, the IC card terminal 2 transmits to the IC card 6 information which is used to deal with a trouble, such as the service charge V, the date D and the terminal identification number IDT, and service information M = (V * D * IDT) which the user wants to make sure afterward. The IC card 6 stores the service information M in the EEPROM 64 and creates and sends a digital signature SU(M * IDU) for the service information M and the card identification number IDU to the IC card terminal 2.
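
As an added illustration, not part of the patent text, the following Python sketch runs the Fig. 17 identity check and password challenge-response and shows why the random numbers R and X make a recorded response useless in a later session. The patent's signature scheme is replaced here by textbook RSA over SHA-256 with constructed toy keys, the card is assumed to return X with its signature as in Figs. 15 and 16, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

E = 65537  # public exponent of the stand-in RSA scheme (assumption, not from the patent)

def keypair(p, q):
    """Secret primes p, q -> (public modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(n, *fields):
    """Map the fields of the patent's S(a * b * ...) notation to an integer below n."""
    h = hashlib.sha256()
    for f in fields:
        b = str(f).encode()
        h.update(len(b).to_bytes(4, "big") + b)  # length prefix keeps field boundaries
    return int.from_bytes(h.digest(), "big") % n

def sign(n, d, *fields):
    return pow(digest(n, *fields), d, n)

def verify(n, sig, *fields):
    return pow(sig, E, n) == digest(n, *fields)

# Constructed toy keys built from Mersenne primes: trivially factorable, demo only.
nA, dA = keypair(2**521 - 1, 2**607 - 1)  # management center: master keys, public nA
nU, dU = keypair(2**89 - 1, 2**127 - 1)   # IC card: secret pU, qU -> public nU

class Card:
    """IC card 6: holds nU, IDU, SA(nU * IDU), the card secret key and password Nc."""
    def __init__(self, idu, nc):
        self.idu, self._nc = idu, nc
        self.sa = sign(nA, dA, nU, idu)  # written by the management center at issuance

    def identity(self):
        return nU, self.idu, self.sa

    def respond(self, r, nc_entered):
        """Match Nc' against Nc; on success return (X, SU(R * X * Nc))."""
        if not hmac.compare_digest(nc_entered, self._nc):
            return None  # mismatch notice
        x = secrets.randbits(64)
        return x, sign(nU, dU, r, x, self._nc)

class Terminal:
    """IC card terminal 2: needs only the master public key nA to check a card."""
    def __init__(self):
        self._r = None

    def identity_ok(self, n_u, idu, sa):
        return verify(nA, sa, n_u, idu)

    def challenge(self):
        self._r = secrets.randbits(64)  # fresh R for every session
        return self._r

    def accept(self, n_u, nc_entered, x, su):
        r, self._r = self._r, None  # each R is usable once
        return r is not None and verify(n_u, su, r, x, nc_entered)

def run_demo():
    card, term = Card("IDU-0001", "4921"), Terminal()  # constructed sample values
    n_u, idu, sa = card.identity()
    out = {"identity": term.identity_ok(n_u, idu, sa)}
    # A different card identification number under the same SA must fail.
    out["altered_idu"] = term.identity_ok(n_u, "IDU-0002", sa)
    # Genuine session.
    r1 = term.challenge()
    x1, su1 = card.respond(r1, "4921")
    out["genuine"] = term.accept(n_u, "4921", x1, su1)
    # The recorded (X, SU) presented against a later challenge must fail.
    term.challenge()
    out["replayed"] = term.accept(n_u, "4921", x1, su1)
    # Wrong password: the card itself refuses to sign.
    out["wrong_password"] = card.respond(term.challenge(), "0000")
    return out

if __name__ == "__main__":
    print(run_demo())
```

The terminal never contacts the management center in this flow; the master signature binds nU to IDU, and the fresh R binds the card's signature to the current session.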

The IC card terminal 2 verifies the digital signature SU(M * IDU) by the card public key nU and, if valid, temporarily stores it in the service information area 2M6 of the memory in the telephone controller 14 together with the pieces of information IDU, nU and M. The data thus stored in the service information area 2M6 is transmitted via the communication network 3 to the management center 4, for example, every week or when the amount of data thus stored reaches a fixed value, or the IC card terminal 2 is polled by the management center 4. It is also possible to directly connect portable terminals to the IC card terminal 2 to receive and send therefrom the digital signature SU(M * IDU) to the management center 4. The management center 4 further verifies the digital signature SU(M * IDU) and records the service information M for each IC card identification number IDU, which is used for charging purpose or for making various inquiries.

It is possible to provide increased security against wire tapping through utilization of a method in which the IC card 6 and the IC card terminal 2 both have a specific key for encrypting and decrypting various pieces of information which are transmitted and received between the IC card 6 and the IC card terminal 2. Moreover, by making provision for prestoring term-of-validity information in the IC card and verifying it by a clock in the IC card terminal, it is possible to inhibit the abuse of the IC card after being lost.

With an arrangement wherein the identification number IDC of the card dispenser 5 which records initial information in the IC card, the master digital signature SA(IDC) of the management center 4 for the identification number IDC and the master public key nA for verifying the signature are prestored in the IC card at the time of issuing it and these pieces of information are transmitted to the IC card terminal 2 for verification when the IC card 6 is used, it is possible to make a check to see if the IC card 6 is a valid one issued from the valid IC card dispenser.

While in the above embodiments the user enters the password into the IC card terminal with a view to preventing the abuse of a lost IC card, the password may be omitted according to services or in accordance with user's wishes. In this instance, the process shown in Fig. 17 is performed without using the password Nc.

Further, in transmission of data to the management center 4, for example, in a practical system in which the present invention is implemented, data C which is not particularly needed may be added to data nU, IDU, SA(nU * IDU) so that a sufficient amount of data nU, IDU, C and SA(nU * IDU * C) can be transmitted to prevent abuse of a card if it is not possible to prevent an IC card from being abused by transmitting only data nU, IDU, SA(nU * IDU) or the like.

Thus, according to the embodiment of Fig. 17, since the information for specifying the IC card appended with the digital signature of the management center 14 can be verified at the IC card terminal, the management center 4 having a database concerning IC cards need not be accessed before receiving services and the use of an invalid IC card can be prevented. Moreover, the service information such as the service charge to be paid or the history of use which is used in the case of a trouble or used as a reference by the user is appended with the digital signature of the IC card and transmitted to the IC card terminal, from which the service information appended with the digital signature is transmitted to a charging center for storage therein. The service information thus stored in the center can be used as evidence in the case of dealing with a trouble.

It will be apparent that many modifications and variations may be effected without departing from the scope of the novel concepts of the present invention.

Claims 

1. A method of settling charges in response to the use of an IC card that has been issued from a management center through an IC card dispenser, for obtaining a service at an IC card terminal, said IC card terminal having terminal information memory means into which are written from said management center a master public key nA for verification of a master digital signature SA created by said management center by use of master keys pA and qA, terminal secret keys pT and qT for enabling said IC card terminal to create a digital signature, a terminal public key nT for verification of said digital signature created by said IC card terminal, a terminal identification number IDT and a second master digital signature SA2 created by use of said master keys pA and qA for information including said terminal identification number IDT and said terminal public key nT, said IC card having card information memory means into which are written from said management center said master public key nA, card secret keys pU and qU for enabling said IC card to create a digital signature, a card public key nU for verification of said digital signature created by said IC card, a card identification number IDU, a first master digital signature SA1 created by use of said master keys pA and qA for information including said card identification number IDU and said card public key nU, amount value information V and a third master digital signature SA3 for information including said amount value information V and said card identification number IDU, said method being characterized by:

a step wherein said IC card transmits said card public key nU, said card identification number IDU and said first master digital signature SA1 to said IC card terminal;
a step wherein said IC card terminal verifies said first master digital signature SA1 received from said IC card and, if it is valid, transmits an authentication notice to said IC card;
a step wherein said IC card creates a card digital signature SU for information including said amount value information V by use of said card secret keys pU and qU, and transmits said amount value information V and said card digital signature SU to said IC card terminal upon receiving said authentication notice from said IC card terminal;
a step wherein said IC card terminal verifies said card digital signature SU received from said IC card by use of said card public key nU and, if said amount value information V received from said IC card is correct and also the amount value is larger than a charge needed to carry out said service, initiates said service;
a step wherein, after completion of said service, said IC card terminal creates an updated remaining amount value V' in which said charge for said service is subtracted from said amount value and also creates a terminal digital signature ST for information including said updated remaining amount value V' and said card identification number IDU by use of said terminal secret keys pT and qT;
a step wherein said IC card terminal transmits said terminal digital signature ST, said updated remaining amount value V', said second master digital signature SA2, said terminal public key nT and said terminal identification number IDT to said IC card; and
a step wherein said IC card verifies said second master digital signature SA2 and said terminal digital signature ST received from said IC card terminal by use of said master public key nA and said terminal public key nT, respectively, and, if they are valid, stores said updated remaining amount value V' in said card information memory means.

2. The method of claim 1 wherein said IC card terminal includes means for storing invalid card identification numbers as a card identification number list, and said IC card includes means for storing usage information which is information including the remaining amount value V' when said IC card was last used; and wherein

said IC card transmits said card identification number IDU and said usage information in addition to said amount value information V and said card digital signature SU to said IC card terminal when said authentication notice is received from said IC card terminal;
said IC card terminal compares said card identification number IDU received from said IC card with the card identification numbers in said card identification number list and, when said card identification number IDU does not accord with any one of the card identification numbers in said card identification number list, initiates said requested service; and
said IC card stores information including said remaining amount value V' and said terminal identification number IDT received from said IC card terminal as updated usage information in said card information memory means when said second master digital signature SA2 and said terminal digital signature ST are valid.

3. The method of claim 2 further including the steps of:

creating, at said IC card terminal, usage/management information from information including said amount value information V, said card identification number IDU and said usage information received from said IC card prior to the start of said service, only in the case of transmitting said updated amount value information V to said IC card;

transmitting said usage/management information from said IC card terminal to said management center together with said card identification number IDU; and

additionally storing, at said IC card terminal, any card identification number received from said management center in said card identification number list.

4. The method of claim 3 wherein said management center has a database for storing usage/management information for each IC card identification number, and compares said card identification number IDU and said usage/management information received from said IC card terminal with card identification numbers and usage/management information registered in said database, respectively, and when said card identification number IDU and said usage/management information do not accord with any of said card identification numbers and any of said usage/management information, respectively, additionally registers said card identification number IDU and said usage/management information received from said IC card terminal in said database, whereas when said card identification number IDU and said usage/management information accord with one of said card identification numbers and one of said usage/management information, respectively, said management center transmits said card identification number IDU to said IC card terminal.

5. The method of claim 2, 3 or 4, wherein at least one of said IC card and said IC card terminal has random number generating means, and said usage information contains a random number generated by said random number generating means.
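The settlement exchange of claim 1 and the invalid-card list check of claim 2, sketched as an added example that is not part of the patent text. Textbook RSA over constructed Mersenne-prime keys stands in for the claimed signature scheme (the claims name only the secret keys p, q and the public key n); the exponent E, the identifiers, the fields covered by SA2 and all function names are assumptions, and the earlier SA1 authentication step is taken as already done.

```python
import hashlib

E = 65537  # assumed public exponent; the claims name only p, q and n = p*q

def keygen(p, q):
    """Return (n, d) for toy textbook RSA; stands in for the claimed scheme."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def _digest(n, fields):
    data = "|".join(map(str, fields)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(n, d, *fields):
    return pow(_digest(n, fields), d, n)

def verify(n, sig, *fields):
    return pow(sig, E, n) == _digest(n, fields)

# Constructed keys built from Mersenne primes (illustration only, not for real use).
N_A, D_A = keygen(2**521 - 1, 2**607 - 1)      # master public key nA
N_U, D_U = keygen(2**61 - 1, 2**89 - 1)        # card: nU from pU, qU
N_T, D_T = keygen(2**107 - 1, 2**127 - 1)      # terminal: nT from pT, qT
IDU, IDT = "CARD-0001", "TERM-0042"            # constructed identifiers
SA2 = sign(N_A, D_A, N_T, IDT)                 # assumed to cover nT and IDT

def terminal_settle(idu, v, su, charge, revoked=()):
    """Terminal: check the invalid-card list, SU and balance, then sign V*."""
    if idu in revoked or not verify(N_U, su, v) or v <= charge:
        return None                            # service is not initiated
    v_new = v - charge                         # updated remaining value V*
    return sign(N_T, D_T, v_new, idu), v_new, SA2, N_T, IDT

def card_accept(stored_v, st, v_new, sa2, n_t, idt):
    """Card: store V* only if SA2 (under nA) and ST (under nT) both verify."""
    if verify(N_A, sa2, n_t, idt) and verify(n_t, st, v_new, IDU):
        return v_new
    return stored_v

def settle(v, charge, revoked=(), tamper=None):
    """Run one exchange; return the value the card holds afterwards."""
    su = sign(N_U, D_U, v)                     # card digital signature SU
    msg = terminal_settle(IDU, v, su, charge, revoked)
    if msg is None:
        return v
    st, v_new, sa2, n_t, idt = msg
    if tamper is not None:                     # V* altered between terminal and card
        v_new = tamper
    return card_accept(v, st, v_new, sa2, n_t, idt)
```

Because ST covers both V* and IDU, a V* changed in transit fails verification on the card and the stored value is left untouched.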